By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

The Luxembourg-based Internet telephony service provider, which allows users to make free calls between computers or low-cost calls to regular telephones not connected to the Internet, said one problem is that "Skype can be made to execute arbitrary code through a buffer overflow when Skype is called upon to handle malformed URLs that are in Skype-specific URI types callto:// and skype://." Skype could also be used to launch malicious code "during importation of a VCARD that is in a specific non-standard format."

This issue affects Skype 1.1.*.0 through 1.4.*.83 for Windows, the vendor said.

Another problem is a heap overflow condition in the networking routine. "Skype can be remotely forced to crash due to an error in bounds checking in a specific networking routine," Skype said in its advisory. "An attacker who sends a stream of specifically crafted network traffic to a Skype client network can cause the client to overwrite part of the heap, including the heap integrity control data."

Since the attacker can't control the address where the data is written, "the most likely effect will be that the Skype will abort execution due to an internal error, although other unpredictable behavior is possible," the advisory said. "Such a crash will lead to a loss of availability of the Skype application until it is restarted by the user."

This issue affects all Skype releases prior to and including 1.4.*.83 for Windows, all releases prior to and including 1.3.*.16 for Mac OS X; all releases prior to and including 1.2.*.17 for Linux; and all releases prior to and including 1.1.*.6 for Pocket PC.

The fixes come a week after New York-based e-mail security firm MessageLabs Ltd. warned that a new variant of the IRCbot Trojan horse was taking aim at Skype users. The Trojan, also known as Fanbot, was distributed by e-mail, disguised as the newest Skype release -- version 1.4 -- which came out Oct. 10.

E-Handbook

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy